samba - Nov 2014 - DC2 d­enie­s ac­cess­ whe­n sa­­ving ­throu­gh th­e Gro­

> OK, make sure that the two idmap.ldb files match and then run 
> 'samba-tool ntacl sysvolreset' on both machines and see if this
cured
> this problem.
I did:

root at dc1:~$ service sernet-samba-ad stop
root at dc2:~$ service sernet-samba-ad stop
root at dc2:~$ mv /var/lib/samba/private/idmap.ldb /root/idmap.ldb.bak
root at dc1:~$ scp /var/lib/samba/private/idmap.ldb dc2:/var/lib/samba/private/

then I ensured that /var/lib/samba/private/idmap.ldb is exactly the same on dc1
and dc2. then...

root at dc1:~$ samba-tool ntacl sysvolreset
root at dc2:~$ samba-tool ntacl sysvolreset
root at dc1:~$ service sernet-samba-ad start
root at dc2:~$ service sernet-samba-ad start

to be sure again I execute the sysvolreset command...

root at dc1:~$ samba-tool ntacl sysvolreset
root at dc2:~$ samba-tool ntacl sysvolreset

but when I execute "samba-tool ntacl sysvolcheck" I still get the
uncaught exception error on dc1 and dc2 :(
Hi again,

I followed
https://wiki.samba.org/index.php/SysVol_Bidirectional_Replication#When_you_try_to_resync_the_folder
and did a manual resync from dc1:/var/lib/samba/sysvol to
dc2:/var/lib/samba/sysvol so I had a consistency again. The "samba-tool
ntacl sysvolcheck" still fails with the uncaught exception error and I am
not sure if this is a good sign. But independent of that I think I know why I am
running into the issue that I described on that thread:

When I add a new GPO on DC1, it has following owner and file mode:

drwxrwx---+  4  502     500 4,0K Nov  1 22:22
{1AC9641E-1234-47C7-8D8C-43A199220635}

The owner of this new Group Policy Object is 502. That is my domain user
"foo" which I has assigned the NIS/UNIX attribute uid=502 to. The
group is 500 which is the gid=500 of my domain group "Domain
Admins".After 5minutes the sysvol-sync (unison+rsync) is syncing that
object successfully to DC2. When I do "ls -lh" on DC2 I get the same
output. So fine so good, everything works fine and as expected until now.

Now we do the reverse thing. I create a new GPO on DC2. The file mode on DC2
looks like that:

drwxrwx---+  3  502     500 4,0K Nov  1 22:29
{A783C43A-9DCA-434A-B28A-5E7D9C01EFD7}

As we see the owner still is 502 that is equal to domain user "foo"
and group id 500 which is "Domain Admins". After this object is synced
to DC1, the object on DC1 thugh looks like that:

drwxr-x---+  3 root root    4,0K Nov  1 22:30
{A783C43A-9DCA-434A-B28A-5E7D9C01EFD7}

So here's the culprit ==> When the unison/rsync bidirectional is syncing
objects from DC1 to DC2 all is ok,the same owner and file attributes are synced.
But objects synced from DC2 to DC1 change their owner/group and also the file
modes. But *WHY* ? Is that a misconfiguration in the unison/rsync tutorial shown
on https://wiki.samba.org/index.php/SysVol_Bidirectional_Replication

Mirco.

We see, the owner still is "foo" with uid=500 > Do things work if
you test as "Administrator" (root) ?
> achim?
Unfortunately not... when I login with "MYDOM\Administrator" on DC2
and cretae a new GPO it looks like that on DC2:

drwxrwx---+ 4 root     500 4,0K Nov  2 00:52
{562AB030-6351-42C1-9850-D5B12BF45570}

As soon as sysvol sync runs the directory on DC1 looks like that:

drwxr-x---+ 3 root root    4,0K Nov  2 00:55
{562AB030-6351-42C1-9850-D5B12BF45570}

On this step, I even can't edit the GPO on DC2 where it worked before the
unison sync started. That means, that after unison runs something is written
also on the DC2 side, because DC2 won't let me allow to edit the GPO
anymore. At this step, the GPO seems already to be not accessible.

The summary is:
----------------------
Whatever I create/modify on DC2 will be broken after the unison/bi-directional
sync is run.
Whatever I add/modify on DC1 works 100% fine and lets me edit it either through
DC1 or DC2.

==> GPO's created initially on DC2 will not be editable after unison has
run, neither on DC1 and nor on DC2.
==> GPO's created initially on DC1 will be editable after unison has run
on both DC1 and DC2

This is not what one would expect though, because I did expect I also can
edit/add objects on DC2, but as I explained this is broken somehow.
Any dev know more about that? I'm looking forward to hear from you.

Mirco.

Referring to Marc Muehlefeld who has wrote the script and the tutorial for
unison/rsync bi-directional sysvol sync and this thread:

http://samba.2283325.n4.nabble.com/Samba4-AD-SysVol-Replication-HowTo-Script-td4651469.html

I think the inconsistence comes from the unison/rsync stuff. As Andreas on the
mentioned thread said, csync is not capable of syncing extended ACL attributes
which is necessary for sysvol syncing. But hey, I though about
"csync2". But the PDF here (http://oss.linbit.com/csync2/paper.pdf)
says it's not capable of syncing these extended ACL attributes, too. Damn
it! :( So it seems that "rsync" is the only tool out there that can
sync extended attributes through the -X switch? So, where's the problem then
I am facing at the moment? Is it unison on any way?

Mirco.

Hi all,

Just to check. 
Did the rsync and unison in the distor are compile with xattr?

Would that be the cause?

Regards, 
Chan Min Wai 

?icro MEGAS <micromegas at mail333.com> ? 2 Nov 2014 8:07 PG ???
>> OK, make sure that the two idmap.ldb files match and then run 
>> 'samba-tool ntacl sysvolreset' on both machines and see if this
cured
>> this problem.
> 
> I did:
> 
> root at dc1:~$ service sernet-samba-ad stop
> root at dc2:~$ service sernet-samba-ad stop
> root at dc2:~$ mv /var/lib/samba/private/idmap.ldb /root/idmap.ldb.bak
> root at dc1:~$ scp /var/lib/samba/private/idmap.ldb
dc2:/var/lib/samba/private/
> 
> then I ensured that /var/lib/samba/private/idmap.ldb is exactly the same on
dc1 and dc2. then...
> 
> root at dc1:~$ samba-tool ntacl sysvolreset
> root at dc2:~$ samba-tool ntacl sysvolreset
> root at dc1:~$ service sernet-samba-ad start
> root at dc2:~$ service sernet-samba-ad start
> 
> to be sure again I execute the sysvolreset command...
> 
> root at dc1:~$ samba-tool ntacl sysvolreset
> root at dc2:~$ samba-tool ntacl sysvolreset
> 
> but when I execute "samba-tool ntacl sysvolcheck" I still get the
uncaught exception error on dc1 and dc2 :(
> Hi again,
> 
> I followed
https://wiki.samba.org/index.php/SysVol_Bidirectional_Replication#When_you_try_to_resync_the_folder
and did a manual resync from dc1:/var/lib/samba/sysvol to
dc2:/var/lib/samba/sysvol so I had a consistency again. The "samba-tool
ntacl sysvolcheck" still fails with the uncaught exception error and I am
not sure if this is a good sign. But independent of that I think I know why I am
running into the issue that I described on that thread:
> 
> When I add a new GPO on DC1, it has following owner and file mode:
> 
> drwxrwx---+  4  502     500 4,0K Nov  1 22:22
{1AC9641E-1234-47C7-8D8C-43A199220635}
> 
> The owner of this new Group Policy Object is 502. That is my domain user
"foo" which I has assigned the NIS/UNIX attribute uid=502 to. The
group is 500 which is the gid=500 of my domain group "Domain
Admins".After 5minutes the sysvol-sync (unison+rsync) is syncing that
object successfully to DC2. When I do "ls -lh" on DC2 I get the same
output. So fine so good, everything works fine and as expected until now.
> 
> Now we do the reverse thing. I create a new GPO on DC2. The file mode on
DC2 looks like that:
> 
> drwxrwx---+  3  502     500 4,0K Nov  1 22:29
{A783C43A-9DCA-434A-B28A-5E7D9C01EFD7}
> 
> As we see the owner still is 502 that is equal to domain user
"foo" and group id 500 which is "Domain Admins". After this
object is synced to DC1, the object on DC1 thugh looks like that:
> 
> drwxr-x---+  3 root root    4,0K Nov  1 22:30
{A783C43A-9DCA-434A-B28A-5E7D9C01EFD7}
> 
> So here's the culprit ==> When the unison/rsync bidirectional is
syncing objects from DC1 to DC2 all is ok,the same owner and file attributes are
synced. But objects synced from DC2 to DC1 change their owner/group and also the
file modes. But *WHY* ? Is that a misconfiguration in the unison/rsync tutorial
shown on https://wiki.samba.org/index.php/SysVol_Bidirectional_Replication
> 
> Mirco.
> 
> We see, the owner still is "foo" with uid=500 > Do things work
if you test as "Administrator" (root) ?
>> achim?
> 
> Unfortunately not... when I login with "MYDOM\Administrator" on
DC2 and cretae a new GPO it looks like that on DC2:
> 
> drwxrwx---+ 4 root     500 4,0K Nov  2 00:52
{562AB030-6351-42C1-9850-D5B12BF45570}
> 
> As soon as sysvol sync runs the directory on DC1 looks like that:
> 
> drwxr-x---+ 3 root root    4,0K Nov  2 00:55
{562AB030-6351-42C1-9850-D5B12BF45570}
> 
> On this step, I even can't edit the GPO on DC2 where it worked before
the unison sync started. That means, that after unison runs something is written
also on the DC2 side, because DC2 won't let me allow to edit the GPO
anymore. At this step, the GPO seems already to be not accessible.
> 
> The summary is:
> ----------------------
> Whatever I create/modify on DC2 will be broken after the
unison/bi-directional sync is run.
> Whatever I add/modify on DC1 works 100% fine and lets me edit it either
through DC1 or DC2.
> 
> ==> GPO's created initially on DC2 will not be editable after unison
has run, neither on DC1 and nor on DC2.
> ==> GPO's created initially on DC1 will be editable after unison has
run on both DC1 and DC2
> 
> This is not what one would expect though, because I did expect I also can
edit/add objects on DC2, but as I explained this is broken somehow.
> Any dev know more about that? I'm looking forward to hear from you.
> 
> Mirco.
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

On 02/11/14 00:07, ?icro MEGAS wrote:
>> OK, make sure that the two idmap.ldb files match and then run
>> 'samba-tool ntacl sysvolreset' on both machines and see if this
cured
>> this problem.
> I did:
>
> root at dc1:~$ service sernet-samba-ad stop
> root at dc2:~$ service sernet-samba-ad stop
> root at dc2:~$ mv /var/lib/samba/private/idmap.ldb /root/idmap.ldb.bak
> root at dc1:~$ scp /var/lib/samba/private/idmap.ldb
dc2:/var/lib/samba/private/
>
> then I ensured that /var/lib/samba/private/idmap.ldb is exactly the same on
dc1 and dc2. then...
>
> root at dc1:~$ samba-tool ntacl sysvolreset
> root at dc2:~$ samba-tool ntacl sysvolreset
> root at dc1:~$ service sernet-samba-ad start
> root at dc2:~$ service sernet-samba-ad start
>
> to be sure again I execute the sysvolreset command...
>
> root at dc1:~$ samba-tool ntacl sysvolreset
> root at dc2:~$ samba-tool ntacl sysvolreset
>
> but when I execute "samba-tool ntacl sysvolcheck" I still get the
uncaught exception error on dc1 and dc2 :(
> Hi again,
>
> I followed
https://wiki.samba.org/index.php/SysVol_Bidirectional_Replication#When_you_try_to_resync_the_folder
and did a manual resync from dc1:/var/lib/samba/sysvol to
dc2:/var/lib/samba/sysvol so I had a consistency again. The "samba-tool
ntacl sysvolcheck" still fails with the uncaught exception error and I am
not sure if this is a good sign. But independent of that I think I know why I am
running into the issue that I described on that thread:
>
> When I add a new GPO on DC1, it has following owner and file mode:
>
> drwxrwx---+  4  502     500 4,0K Nov  1 22:22
{1AC9641E-1234-47C7-8D8C-43A199220635}
>
> The owner of this new Group Policy Object is 502. That is my domain user
"foo" which I has assigned the NIS/UNIX attribute uid=502 to. The
group is 500 which is the gid=500 of my domain group "Domain
Admins".After 5minutes the sysvol-sync (unison+rsync) is syncing that
object successfully to DC2. When I do "ls -lh" on DC2 I get the same
output. So fine so good, everything works fine and as expected until now.
NIS/UNIX attribute uid=502 ????? I hope you mean 'uidNumber=502'

Rowland
>
> Now we do the reverse thing. I create a new GPO on DC2. The file mode on
DC2 looks like that:
>
> drwxrwx---+  3  502     500 4,0K Nov  1 22:29
{A783C43A-9DCA-434A-B28A-5E7D9C01EFD7}
>
> As we see the owner still is 502 that is equal to domain user
"foo" and group id 500 which is "Domain Admins". After this
object is synced to DC1, the object on DC1 thugh looks like that:
>
> drwxr-x---+  3 root root    4,0K Nov  1 22:30
{A783C43A-9DCA-434A-B28A-5E7D9C01EFD7}
>
> So here's the culprit ==> When the unison/rsync bidirectional is
syncing objects from DC1 to DC2 all is ok,the same owner and file attributes are
synced. But objects synced from DC2 to DC1 change their owner/group and also the
file modes. But *WHY* ? Is that a misconfiguration in the unison/rsync tutorial
shown on https://wiki.samba.org/index.php/SysVol_Bidirectional_Replication
>
> Mirco.
>
> We see, the owner still is "foo" with uid=500 > Do things work
if you test as "Administrator" (root) ?
>> achim?
> Unfortunately not... when I login with "MYDOM\Administrator" on
DC2 and cretae a new GPO it looks like that on DC2:
>
> drwxrwx---+ 4 root     500 4,0K Nov  2 00:52
{562AB030-6351-42C1-9850-D5B12BF45570}
>
> As soon as sysvol sync runs the directory on DC1 looks like that:
>
> drwxr-x---+ 3 root root    4,0K Nov  2 00:55
{562AB030-6351-42C1-9850-D5B12BF45570}
>
> On this step, I even can't edit the GPO on DC2 where it worked before
the unison sync started. That means, that after unison runs something is written
also on the DC2 side, because DC2 won't let me allow to edit the GPO
anymore. At this step, the GPO seems already to be not accessible.
>
> The summary is:
> ----------------------
> Whatever I create/modify on DC2 will be broken after the
unison/bi-directional sync is run.
> Whatever I add/modify on DC1 works 100% fine and lets me edit it either
through DC1 or DC2.
>
> ==> GPO's created initially on DC2 will not be editable after unison
has run, neither on DC1 and nor on DC2.
> ==> GPO's created initially on DC1 will be editable after unison has
run on both DC1 and DC2
>
> This is not what one would expect though, because I did expect I also can
edit/add objects on DC2, but as I explained this is broken somehow.
> Any dev know more about that? I'm looking forward to hear from you.
>
> Mirco.